User:Cryptoproject2010

Wiener's Attack
Introduction

RSA is frequently used in security applications such as email, credit card payments, and network login access. One attack on RSA was proposed by Michael Wiener. It uses the continued fraction method to exploit a mistake made when RSA is deployed, for example in credit card transactions or in the configuration of mobile devices. Wiener's attack shows that choosing a small value for $$d$$ yields an insecure system in which all secret information can be recovered. To reduce RSA decryption time, Alice might be tempted to use a small value of $$d$$ rather than a large random number. A small private key does improve performance dramatically, but unfortunately an attack due to M. Wiener shows that a small $$d$$ leads to a total collapse of the RSA cryptosystem. This break of RSA is based on Wiener's Theorem, which in general gives a lower limit on how small $$d$$ may safely be. Wiener proved that Marvin may efficiently find $$d$$ when $$d< \frac{1}{3}N^{ \frac{1}{4}} $$. In addition to his attack, Wiener also discovered a number of techniques that enable fast decryption and are not susceptible to the attack.

To reduce decryption time (or signature-generation time), one may wish to use a small value of $$d$$ rather than a random $$d$$. Since modular exponentiation takes time linear in $$\log_2 d$$, a small $$d$$ can improve performance by at least a factor of 10 (for a 1024-bit modulus). Unfortunately, a clever attack due to M. Wiener shows that a small $$d$$ results in a total break of the cryptosystem.

Theorem (M. Wiener)
Let $$\ N = pq $$ with $$\ q < p < 2q $$. Let $$d < \frac{1}{3} N^{\frac{1}{4}}$$.

Given $$\left \langle N,e\right \rangle$$ with $$ed = 1 \bmod\ \varphi (N)$$, Marvin (eavesdropper) can efficiently recover d.

Proof

The proof is based on approximations using continued fractions. Since $$ed = 1\bmod \varphi (N)$$, there exists a $$k$$ such that $$ed - k \varphi (N) = 1$$. Therefore


 * $$\left | \frac {e}{\varphi (N)}- \frac {k}{d} \right \vert = \frac{1}{d \varphi (N)}$$

Hence, $$\frac {k}{d}$$ is an approximation of $$\frac{e}{\varphi(N)}$$. Although Marvin does not know $$\varphi(N)$$, he may use $$N$$ to approximate it. Indeed, since $$\varphi(N)= N-p-q+1 $$ and $$p+q-1<3 \sqrt{N} $$, we have:


 * $$\left \vert N - \varphi (N) \right \vert = \left \vert p+q-1 \right \vert < 3 \sqrt{N}$$

Using N in place of $$\varphi(N)$$ we obtain:


 * $$\left \vert \frac{e}{N}- \frac{k}{d} \right \vert = \left \vert \frac{ed-kN}{Nd} \right \vert $$


 * $$\qquad = \left \vert \frac{ed-k \varphi (N)-kN+k \varphi (N)}{Nd} \right \vert $$


 * $$\qquad = \left \vert \frac{1-k(N- \varphi (N))}{Nd} \right \vert $$


 * $$\qquad \le \left \vert \frac{3k \sqrt{N}}{Nd} \right \vert = \frac {3k \sqrt{N}}{\sqrt{N} \sqrt{N}d} = \frac {3k}{d \sqrt{N}} \qquad (1)$$

Now, $$k \varphi (N) = ed - 1 < ed$$. Since $$e < \varphi(N)$$, we see that $$k < d < \frac{1}{3} N^{\frac{1}{4}} \qquad (2)$$

From (1) and (2), we can conclude that


 * $$\left \vert \frac{e}{N}- \frac{k}{d} \right \vert \le \frac{3k}{d \sqrt{N}} < \frac{1}{d N^{\frac{1}{4}}} < \frac{1}{d \cdot 2d}= \frac{1}{2d^2} \blacksquare$$

This is a classic approximation relation. The number of fractions $$\frac{k}{d}$$ with $$d < N$$ approximating $$\frac{e}{N}$$ so closely is bounded by $$\log_2 N$$. In fact, all such fractions are obtained as convergents of the continued fraction expansion of $$\frac{e}{N}$$.

All one has to do is compute the $$\log N$$ convergents of the continued fraction for $$\frac{e}{N}$$. One of these will equal $$\frac{k}{d}$$. Since $$ed - k\varphi(N) = 1$$, we have $$\gcd(k,d) = 1$$, and hence $$\frac{k}{d}$$ is a reduced fraction. This is a linear-time algorithm for recovering the secret key $$d$$. Two techniques that keep decryption fast while avoiding the attack are illustrated below.

Choosing a large public key: Replace $$e$$ by $$e'$$, where $$e' = e + t \varphi(N)$$ for some large $$t$$. When $$e'$$ is sufficiently large, i.e. $$e' > N^{\frac{1}{2}}$$, Wiener's attack cannot be mounted regardless of how small $$d$$ is.

Using the Chinese Remainder Theorem: Suppose one chooses $$d$$ such that both $$d_p = d \bmod (p-1)$$ and $$d_q = d \bmod (q-1)$$ are small; then a fast decryption of $$C$$ can be carried out as follows:


 * 1) First compute $$M_p = C^{d_p} \bmod p$$ and $$M_q = C^{d_q} \bmod q$$


 * 2) Use the CRT to compute the unique value $$M \in \mathbb{Z}_N$$ satisfying $$M = M_p \bmod p$$ and $$M = M_q \bmod q$$. The resulting $$M$$ satisfies $$M = C^{d} \bmod N$$, as required.

The point is that Wiener's Theorem does not apply here because the value of $$d \bmod \varphi(N)$$ can be large.
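The CRT decryption just described, written out as an added Python example (this is not code from the page). The two-step decryption follows the list above; the key-construction helper is my own assumption: it solves for a $$d$$ with prescribed small $$d_p$$ and $$d_q$$ using the primes $$p = 379$$, $$q = 239$$ from the worked example below, and picks a representative modulo $$\mathrm{lcm}(p-1, q-1)$$ large enough that $$d$$ itself is far above the bound of Wiener's Theorem.

```python
from math import gcd, lcm


def crt_exponents(d, p, q):
    """The two half-size exponents d_p = d mod (p-1) and d_q = d mod (q-1)."""
    return d % (p - 1), d % (q - 1)


def crt_decrypt(C, p, q, dp, dq):
    """Step 1: M_p = C^{d_p} mod p and M_q = C^{d_q} mod q.
    Step 2: recombine with the CRT (Garner's form) to the unique M in Z_N."""
    Mp = pow(C, dp, p)
    Mq = pow(C, dq, q)
    h = ((Mp - Mq) * pow(q, -1, p)) % p      # q^{-1} mod p exists since p, q are distinct primes
    return (Mq + h * q) % (p * q)


def key_with_small_crt_exponents(p, q, dp, dq, t):
    """Constructed helper (assumption, not from the page): choose d so that
    d mod (p-1) = dp and d mod (q-1) = dq.  Because p-1 and q-1 share the factor
    g = gcd(p-1, q-1), dp and dq must agree modulo g; the solution is unique modulo
    L = lcm(p-1, q-1), and t selects the representative d0 + t*L so that d is large.
    Returns (e, d) with e*d = 1 mod phi(N)."""
    g = gcd(p - 1, q - 1)
    if (dp - dq) % g:
        raise ValueError("dp and dq must be congruent modulo gcd(p-1, q-1)")
    m1, m2 = (p - 1) // g, (q - 1) // g      # coprime after dividing out g
    a = ((dq - dp) // g * pow(m1, -1, m2)) % m2
    L = lcm(p - 1, q - 1)
    d = (dp + (p - 1) * a) % L + t * L
    phi = (p - 1) * (q - 1)
    if d >= phi or gcd(d, phi) != 1:
        raise ValueError("t too large, or d not invertible modulo phi(N)")
    return pow(d, -1, phi), d


if __name__ == "__main__":
    p, q = 379, 239                          # primes from the worked example on this page
    e, d = key_with_small_crt_exponents(p, q, dp=5, dq=19, t=13)
    N = p * q
    print("d =", d, " d_p, d_q =", crt_exponents(d, p, q))
    print("d under Wiener's bound (81 d^4 < N)?", 81 * d ** 4 < N)
    C = pow(4242, e, N)                      # constructed sample plaintext 4242
    print("CRT decryption:", crt_decrypt(C, p, q, *crt_exponents(d, p, q)),
          " direct C^d mod N:", pow(C, d, N))
```

With these parameters $$d = 88079$$ while $$d_p = 5$$ and $$d_q = 19$$: the two exponentiations are tiny, yet $$d$$ is nowhere near $$\frac{1}{3}N^{1/4}$$, which is exactly the situation the remark above describes.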

Example
Suppose that the public key $$\left \langle N,e\right \rangle = \left \langle 90581,17993\right \rangle$$

To attack this key we have to determine $$d$$, and also find the prime numbers $$p, q$$ such that $$N = p \cdot q$$ and $$\varphi(N)$$, by using Wiener's Theorem and continued fractions to approximate $$d$$.

First we try to find the continued fractions of $$\frac{e}{N} $$

we know that


 * $$\frac{e}{N} = \frac{17993}{90581} = \cfrac{1}{5 + \cfrac{1}{29 + ... + \cfrac{1}{3}}} = \left [0,5,29,4,1,3,2,4,3 \right ]$$

According to the continued fraction expansion of $$\frac{e}{N}$$, all the convergents $$\frac{k}{d}$$ are


 * $$ \frac{k}{d} = 0, \frac{1}{5}, \frac{29}{146}, \frac{117}{589}, \frac{146}{735}, \frac{555}{2794}, \frac{1256}{6323}, \frac{5579}{28086}, \frac{17993}{90581}$$

We can verify that the first convergent does not produce a factorization of $$N$$; however, the convergent $$\frac{1}{5}$$ yields


 * $$ \varphi (N) = \frac{e \cdot d - 1}{k} = \frac{17993 \cdot 5 - 1}{1} = 89964$$

Now, if we solve the equation


 * $$x^2 - \left ( \left (N - \varphi (N) \right ) + 1 \right )x + N = 0$$


 * $$x^2 - \left ( \left (90581 - 89964 \right ) + 1 \right )x + 90581 = 0$$


 * $$x^2 - \left (618 \right )x + 90581 = 0$$

then we find the roots $$x = 379$$ and $$x = 239$$; therefore we have found the factorization


 * $$N = 90581 = 379 \times 239 = p \times q$$

Notice that, for the modulus $$N = 90581$$, Wiener's Theorem applies for


 * $$d < \frac{N^{ \frac{1}{4}}}{3} \approx 5.783$$
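The convergent search from the proof, applied to the worked example key $$\left \langle N,e\right \rangle = \left \langle 90581,17993\right \rangle$$, as an added Python example (not code from the page). It is written as the key-audit check a defender would run on a public key: walk the convergents $$\frac{k}{d}$$ of $$\frac{e}{N}$$, test each candidate $$\varphi(N) = \frac{ed-1}{k}$$ with the quadratic $$x^2 - (N - \varphi(N) + 1)x + N$$, and report $$(d, p, q)$$ if the private exponent is small enough to be recovered. All function names are mine; the bound test uses the exact integer form $$81 d^4 < N$$ of $$d < \frac{1}{3}N^{1/4}$$.

```python
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of num/den, via Euclid's algorithm."""
    quotients = []
    while den:
        a, r = divmod(num, den)
        quotients.append(a)
        num, den = den, r
    return quotients


def convergents(quotients):
    """Successive convergents (h_i, k_i) of a continued fraction, using the
    recurrence h_i = a_i h_{i-1} + h_{i-2}, k_i = a_i k_{i-1} + k_{i-2}."""
    h_prev, h = 0, 1                     # h_{-2}, h_{-1}
    k_prev, k = 1, 0                     # k_{-2}, k_{-1}
    result = []
    for a in quotients:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        result.append((h, k))
    return result


def factor_from_phi(N, phi):
    """Given a candidate phi(N), solve x^2 - (N - phi + 1) x + N = 0 over the
    integers.  Returns (p, q) with p >= q when the roots are the factors of N."""
    s = N - phi + 1                      # candidate value of p + q
    disc = s * s - 4 * N
    if disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc or (s + root) % 2:
        return None                      # roots are not integers
    p, q = (s + root) // 2, (s - root) // 2
    return (p, q) if q > 1 and p * q == N else None


def within_wiener_bound(d, N):
    """Exact integer form of d < N^(1/4) / 3, i.e. 81 d^4 < N."""
    return 81 * d ** 4 < N


def wiener_check(N, e):
    """Key-audit check: returns (d, p, q) if some convergent k/d of e/N yields an
    integer phi = (e d - 1) / k whose quadratic factors N, otherwise None."""
    for k, d in convergents(continued_fraction(e, N)):
        if k == 0 or (e * d - 1) % k:
            continue
        factors = factor_from_phi(N, (e * d - 1) // k)
        if factors:
            return (d,) + factors
    return None


if __name__ == "__main__":
    N, e = 90581, 17993                  # public key from the worked example above
    print("continued fraction:", continued_fraction(e, N))
    print("convergents:", convergents(continued_fraction(e, N)))
    found = wiener_check(N, e)
    print("recovered (d, p, q):", found)
    print("d within the theorem's bound:", within_wiener_bound(found[0], N))
```

On the example key the check stops at the second convergent $$\frac{1}{5}$$ and returns $$(5, 379, 239)$$; a key whose $$d$$ violates $$81 d^4 < N$$ is not guaranteed to be caught, so a `None` result is only evidence that this particular weakness is absent, not a proof that the key is strong.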


Coppersmith's attack
The Franklin-Reiter attack might seem a bit artificial. After all, why should Bob send Alice the encryption of related messages? Coppersmith strengthened the attack and proved an important result on padding. A naive random padding algorithm might pad a plaintext M by appending a few random bits to one of the ends. The following attack points out the danger of such simplistic padding. Suppose Bob sends a properly-padded encryption of M to Alice. An attacker, Marvin, intercepts the ciphertext and prevents it from reaching its destination. Bob notices that Alice did not respond to his message and decides to resend M to Alice. He randomly pads M and transmits the resulting ciphertext. Marvin now has two ciphertexts corresponding to two encryptions of the same message using two different random pads. The following theorem shows that although he does not know the pads used, Marvin is able to recover the plaintext.

Theorem
Let $$\left \langle N,e\right \rangle$$ be a public RSA key where $$N$$ is $$n$$ bits long. Set $$m = \lfloor \frac{n}{e^2} \rfloor$$. Let $$M \in \mathbb {Z}^*_N$$ be a message of length at most $$n-m$$ bits. Define $$M_1 = 2^m M + r_1$$ and $$M_2 = 2^m M + r_2$$, where $$r_1$$ and $$r_2$$ are distinct integers with $$0 \le r_1,r_2 < 2^m$$. If Marvin is given $$\left \langle N,e\right \rangle$$ and the encryptions $$C_1,C_2$$ of $$M_1,M_2$$ (but is not given $$r_1$$ or $$r_2$$), he can efficiently recover $$M$$.

Proof

Define $$g_1(x,y) = x^e - C_1$$ and $$g_2(x,y) = (x+y)^e - C_2$$. We know that when $$y = r_2 - r_1$$, these polynomials have $$M_1$$ as a common root. In other words, $$\Delta = r_2 - r_1$$ is a root of the resultant $$h(y) = \mathrm{res}_x(g_1,g_2) \in \mathbb{Z}_N[y]$$. Furthermore, $$\left | \Delta \right | < 2^m < N^{\frac{1}{e^2}}$$. Hence, $$\Delta$$ is a small root of $$h$$ modulo $$N$$, and Marvin can efficiently find it using Coppersmith's theorem. Once $$\Delta$$ is known, the Franklin-Reiter attack can be used to recover $$M_2$$ and consequently $$M$$.
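The last step of the proof, as an added Python example (not code from the page): once $$\Delta$$ is known, $$M_1$$ is the common root of $$g_1(x) = x^e - C_1$$ and $$g_2(x) = (x+\Delta)^e - C_2$$, so it falls out as the root of their linear gcd over $$\mathbb{Z}_N$$. The Coppersmith step that finds $$\Delta$$ as a small root of the resultant (lattice reduction) is not implemented here; $$\Delta$$ is passed in. The toy key $$p = 1031$$, $$q = 1049$$, $$e = 3$$ (chosen so that $$\gcd(3, \varphi(N)) = 1$$), the message and the two pads are constructed values, and the polynomial helpers and function names are mine. The point for a defender is the one the section makes: padding a message by appending a few random bits gives no protection when a message is resent.

```python
from math import comb


def poly_trim(a, N):
    """Reduce coefficients mod N and drop zero leading terms (lowest degree first)."""
    a = [c % N for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_mod(a, b, N):
    """Remainder of a divided by b over Z_N.  The leading coefficient of b must be a
    unit; if pow() raises ValueError here, gcd(b[-1], N) is a factor of N."""
    a, b = poly_trim(a, N), poly_trim(b, N)
    inv_lead = pow(b[-1], -1, N)
    while len(a) >= len(b):
        coef = (a[-1] * inv_lead) % N
        shift = len(a) - len(b)
        for i, bc in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bc) % N
        a = poly_trim(a, N)
    return a


def poly_gcd(a, b, N):
    """Euclid's algorithm on polynomials over Z_N (result is not made monic)."""
    a, b = poly_trim(a, N), poly_trim(b, N)
    while b:
        a, b = b, poly_mod(a, b, N)
    return a


def franklin_reiter(N, e, C1, C2, delta):
    """With delta = r2 - r1 known, M1 is the common root of g1 = x^e - C1 and
    g2 = (x + delta)^e - C2, hence the root of their linear gcd over Z_N."""
    g1 = [-C1] + [0] * (e - 1) + [1]
    g2 = [comb(e, i) * pow(delta, e - i, N) for i in range(e + 1)]   # (x + delta)^e
    g2[0] -= C2
    g = poly_gcd(g1, g2, N)
    if len(g) != 2:
        raise ValueError("gcd is not linear: ciphertexts are not related as assumed")
    return (-g[0] * pow(g[1], -1, N)) % N      # root of g[1] x + g[0]


def short_pad(M, r, m):
    """The theorem's padding: M_i = 2^m M + r_i."""
    return (M << m) + r


if __name__ == "__main__":
    p, q, e = 1031, 1049, 3                   # constructed toy key, gcd(3, phi(N)) = 1
    N = p * q
    n = N.bit_length()                        # 21
    m = n // (e * e)                          # 2 pad bits, as in the theorem
    M = 12345                                 # at most n - m = 19 bits
    r1, r2 = 1, 3                             # the two pads; only their difference is used
    C1 = pow(short_pad(M, r1, m), e, N)
    C2 = pow(short_pad(M, r2, m), e, N)
    M1 = franklin_reiter(N, e, C1, C2, r2 - r1)
    print("recovered M1 =", M1, " -> M =", M1 >> m)
```

The gcd computation works over $$\mathbb{Z}_N$$ even though $$N$$ is composite: every division is by a unit, and a non-unit leading coefficient would itself reveal a factor of $$N$$. Padding schemes in actual use (OAEP for encryption) add far more than $$\lfloor n/e^2 \rfloor$$ random bits precisely so that related-message relations of this kind cannot be written down.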